Numerous handheld mobile devices are known, such as smart phones and tablets, also called handheld devices, handheld computers or simply handhelds. Also known are “secure devices”, “trusted devices” or “user trusted devices”, etc., which are handheld companion devices meant to be connected or coupled to a host. Such devices typically are USB devices, such as a security token (or hardware token, authentication token, or USB token), typically the size of a USB key. There is no general definition of a secure device in textbooks. This probably is a consequence of the fact that security for a device cannot be defined in absolute terms but only in a given context, called a “security model”. Such a model describes the overall system and the security assumptions of its constituent parts (e.g., a secure device, a host, a server, communication protocols, etc.). Moreover, this model describes scenarios in which the system can be attacked (the “threat model”). Then, a “security device”, i.e., one part of the system, will be considered to be secure if it is able to achieve its function vis-a-vis the threats, provided the security assumptions hold, that is, in the given threat model. In that sense, a “secure device” is a device that is able to perform at least one of its functions securely with respect to at least one type of threat in a given threat model. It can hence be considered a trusted device to perform this function. The reader may refer to the set of standards known as “Common Criteria”, which aim at certifying levels of security for computer security systems (hardware and/or software).
It is for instance well accepted by persons skilled in the art that a secure device is secure when it is equipped with very limited interfaces towards the “outside world” and is provided with means for protecting sensitive material. It may for example use tamper-resistant hardware to store private credentials. Information that flows in via these interfaces is subject to careful security checks to ensure that it is authentic (regarding its origin) and expected when received. If that is not the case, then no action is taken by the device. Similarly, when some information is sent from the device, it is packaged in such a way that certain external entities can perform similar (security-related) validations.
For online transactions, a solution which has been developed is the so-called Zone Trusted Information Channel (or ZTIC for short). The ZTIC is an example of a handheld companion device, which is a secure device, inasmuch as it is capable of performing at least one of its functions securely with respect to one type of threat. It is a non-programmable device, designed for the authentication of transaction data. Since the ZTIC maintains a secured end-to-end network connection to the server, the ZTIC itself is tamper-proof against malicious software attacks, and as it has its own input and output components independent of the host it connects to, the data shown on the ZTIC display is genuine. The ZTIC security concept usually depends on the identification of a reasonably small subset of the data visible on the screen of the host device, e.g., transaction data in the case of online banking. Typically, the server prescribes which data is considered critical (and accordingly requires explicit off-host verification) and which data is not critical.
Handheld mobile devices (hereafter MDs) such as smart phones and tablets are increasingly becoming the platform of choice on which users execute their applications. These mobile device platforms are typically capable of rotating the screen content depending on the way the user orients the device. Screen (re)orientation is usually based on sensor outputs. MDs supporting screen reorientation typically include a 3-D accelerometer capable of measuring static acceleration in order to determine the physical orientation in space. Based on the x-, y- and z-axis output of the 3-D accelerometer, the platform operating system autonomously re-orients the screen contents and/or generates orientation-change events that applications can subscribe to in order to perform the re-orientation or, in certain but rare instances, suppress the autonomous re-orientation if undesired.